
Re: Considering OpenLDAP - Functionality Questions.
>I work at a University in the US Mountain West. We're looking to implement a
>Directory tree to handle user account management for computer labs and
>workstations. Once we're rolled out we'll want to allow different
>organizations to manage certain aspects of their organization,
>represented as organizational units in the tree. Consequently, most
>accounts would have read access to portions of all the information
>(home directory, UIDs, default shell, etc). Organizational Admins would
>also have full read access of their scope of the tree, as well as
>modify privileges in certain circumstances. We would also want to
>maintain central administration of the entire tree. I'm familiar with
>some other directory products such as eDirectory and Active Directory,
>but not OpenLDAP specifically. I'd appreciate it if any of you could
>take a moment or two to answer some "pre-sales" type questions. (I
>wasn't able to find the answers on my own).
>Example of our directory structure
> dc=University,dc=edu
>  |
>  ou-Org Unit 1
>  |    |
>  |    cn-Admin Org 1
>  |    cn-user1a
>  |    cn-user1b
>  |
>  ou-Org Unit 2
>       |
>       cn-Admin Org 2
>       cn-user2a
>       cn-user2b
> (and so on)
>Does OpenLDAP have the ability (possibly via ACLs or a similar mechanism)
>to allow certain accounts in the DIT root access to portions of the
>tree? For instance, the Admin of Org 1 has read/modify access to Org
>Unit 1, but not Org Unit 2, and vice versa for the Admin of Org 2.

Absolutely, yes.  You can use a variety of pseudo-attributes and regular
expressions to accomplish almost any model of access control.

>Alternately, is it possible to set up, via slurpd, a replica of the tree 
>so that the Main server would have a copy of the entire tree, but the
>entire Org Unit 1 structure would also live on a separate server,

Differentiated replication, yes.

>allowing total access to the root of that particular server? (Obviously
>modifies would need to take place at the master server, but this would
>at least allow full read-only access to the Organizational admin).

I cover both ACLs and differentiated replication for OpenLDAP in my LDAP
presentation.  ftp://kalamazoolinux.org/pub/pdf/ldapv3.pdf
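As an added illustration (not from either post or from the linked slides), here is what the ACL model asked about looks like as slapd.conf `access` directives. It assumes OpenLDAP 2.2+ syntax (`dn.exact,expand` and `break`) and a central administrator entry `cn=Central Admin,dc=University,dc=edu`, which the thread never names and is a placeholder; the org-number capture `$2` is what ties each Admin to its own OU.

```conf
# Added example: slapd.conf ACLs for the dc=University,dc=edu tree described above.
# Directives are evaluated in order; the first "access to" whose target matches wins,
# so order matters. DN regexes are matched against the normalized (lower-cased) DN.

# 1. Central administration: full rights over the whole tree.
#    "by * break" sends everyone else on to the following directives.
#    The central admin DN is a placeholder; substitute the real entry.
access to *
    by dn.exact="cn=central admin,dc=university,dc=edu" manage
    by * break

# 2. Passwords: owners may change their own, anyone may bind with it, nobody reads it.
#    Because this directive matches first for userPassword, org admins cannot reset
#    passwords; drop this directive or add a "by" clause if that should change.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# 3. Org admins: read/write on their own OU subtree only.
#    $2 is the org number captured from the target DN, so "cn=Admin Org 1"
#    matches entries under "ou=Org Unit 1" and nothing under "ou=Org Unit 2".
#    "(.+,)?" makes the pattern cover the OU entry itself as well as its children.
access to dn.regex="^(.+,)?ou=org unit ([0-9]+),dc=university,dc=edu$"
    by dn.exact,expand="cn=admin org $2,ou=org unit $2,dc=university,dc=edu" write
    by * break

# 4. Every authenticated account may read the account attributes
#    (home directory, UID/GID, default shell); everything else stays hidden.
access to attrs=homeDirectory,uidNumber,gidNumber,loginShell,uid,cn
    by users read
    by * none

# 5. Anything not covered above is denied (this is also slapd's implicit default).
access to *
    by * none
```

Check the result with `slapacl` (or by binding as each Admin and attempting a cross-OU modify) before relying on it, since a misordered directive silently widens or narrows access.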